Privacy Policy

Last updated · April 2026

Staso AI Inc. ("Staso," "we," "us," or "our") operates the platform at staso.ai and associated SDKs. This Privacy Policy describes how we collect, use, and share information when you use our website, dashboard, APIs, and developer tools (collectively, the "Service").

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and authentication credentials. If you join an organization, we also store your role and permissions within that workspace.

1.2 Agent Trace Data

When you integrate our SDK into your applications, we collect agent execution data including:

  • LLM request and response payloads
  • Tool call names, inputs, and outputs
  • Token usage and latency metrics
  • Session and conversation metadata
  • Error messages and stack traces

This data is sent by your application through our SDK. You control what data is instrumented and transmitted.

1.3 Automatic PII Redaction

Our SDK and ingestion pipeline automatically detect and redact personally identifiable information (PII) — such as email addresses, phone numbers, and credentials — before trace data is stored. Redaction is applied by default on all plans.

1.4 Usage and Analytics Data

We collect standard analytics data including page views, feature usage, browser type, device information, and IP address. We use PostHog for product analytics.

1.5 Communication Data

If you contact us at [email protected] or through other channels, we retain the contents of those communications.

2. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Display agent traces, metrics, and monitoring dashboards to you
  • Enforce runtime firewall rules and evaluation policies
  • Manage your account, organization, and team permissions
  • Send transactional emails (account verification, alerts)
  • Detect and prevent abuse or unauthorized access
  • Respond to support requests

We do not use your agent trace data to train machine learning models. Your trace data is used exclusively to provide the Service to you.

3. Data Retention

Trace data retention depends on your plan:

  • Personal (Free): 7 days
  • Team: 30 days

After the retention period, trace data is permanently deleted. Account information is retained for as long as your account is active. You can request deletion of your account and associated data at any time.

4. Data Storage and Security

Trace data is stored in ClickHouse. Account and organization data is stored in PostgreSQL. All data is encrypted in transit (TLS) and at rest. Our infrastructure runs on Kubernetes with access controls and audit logging.

We implement industry-standard security measures to protect your data. However, no method of electronic transmission or storage is 100% secure. If you discover a security vulnerability, please report it to [email protected].

5. Data Sharing

We do not sell your personal information. We share data only in the following circumstances:

  • Within your organization: Team members with appropriate permissions can view shared traces and dashboards.
  • Service providers: We use third-party services to operate the platform (cloud infrastructure, email delivery via Resend, analytics via PostHog). These providers process data on our behalf under contractual obligations.
  • Legal requirements: We may disclose information if required by law, subpoena, or government request.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to or restrict certain processing activities

To exercise any of these rights, contact us at [email protected].

7. Cookies and Tracking

We use essential cookies for authentication and session management. Our analytics provider (PostHog) may set cookies to measure product usage. We do not use third-party advertising cookies.

8. International Data Transfers

Your data may be processed in countries other than your own. We take steps to ensure that data transfers comply with applicable data protection laws and that your data receives adequate protection.

9. Children's Privacy

The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date and, where appropriate, through the Service or via email.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: [email protected]